Information technology tools and resources at the UW
This is the official naming document for the Microsoft Infrastructure service
This document describes the syntax of identifiers in Microsoft Infrastructure (MI). It is updated as needed as MI is extended to support new functionality.
Principles and Constraints
MI not only publishes objects from other services, such as the groups service and the UW NetID service, but it also acts as the authority for other objects, such as exchange resources, contacts, and computers. This service is constrained by the UW NetID Namespace and the Groups Namespace.
Objects have multiple naming attributes: samAccountName, CN (or OU), displayName, and sometimes others (e.g. alias). For the purposes of this document, samAccountName and CN (or OU) are the naming attributes in scope and should be set to a matching value. We do not constrain displayName or other naming attributes.
Some common constraints and items worth calling out:
- Active Directory user objects, groups, contact objects and resource objects all share the same namespace and therefore are constrained by UW NetID and Group naming
- Group Policy and Computer objects are not constrained by the UW NetID and Group naming
- MI connectors that manage users and groups generally set CN and samAccountName to the same value and reflect the constraints of the least flexible of the two attributes
No restrictions in common across all object types
MI User Objects
- 1-20 octets
- Lower case ASCII letters and digits
- See UW NetID Namespace
MI Contact Objects
- 6-13 octets
- Lower case ASCII letters, digits and underscores
- Must be of the form: c_ followed by the email address with the @ replaced by an underscore
MI Computer Objects
- Several attributes are in scope, and there are different but related guidelines for each. Details are at https://itconnect.uw.edu/wares/msinf/design/policy/ou-practices/#computerNamespace.
- For the purposes of the identifier that other services use for MI computer objects, samAccountName is used. It has a trailing $ character which differentiates it from other possible objects.
- Existing computer naming reservations are documented at https://wiki.cac.washington.edu/x/DdtdB.
NOTE: This also applies to Group Managed Service Account (gMSA) Objects.
MI Group Objects
- 1-64 octets
- See Groups Namespace
NOTE: MI-only groups are possible (but discouraged) which do not follow the Groups Namespace. These generally are only allowed:
- when a vendor product must use a name that does not conform, or
- there is some reason for the group to not be managed via the Groups Service
For the latter case, MI-only groups should have a prefix of g_.
MI Group Policy
- Prefixed by delegated OU name.
- Details at https://itconnect.uw.edu/wares/msinf/design/policy/ou-practices/#groupPolicy
NOTE: This also applies to IPsec Objects.
MI Resource Objects
- Prefixed by r_
- Must meet user object constraints noted above
Note: Resource objects must meet requirements of MSCA service. They currently are only created by the MSCA service and are not present in the UW NetID system and derivative systems.